Non-interference, in transitive or intransitive form, is defined here over unbounded (Place/Transition) Petri nets. The definitions are adaptations of similar, well-accepted definitions introduced earlier in the framework of labelled transition systems [2, 5, 8]. The interpretation of intransitive non-interference which we propose for Petri nets is as follows. A Petri net represents the composition of a controlled system and a controller, possibly sharing places and transitions. Low transitions represent local actions of the controlled system, high transitions represent local decisions of the controller, and downgrading transitions represent synchronized actions of both components. Intransitive non-interference means the impossibility for the controlled system to follow any local strategy that would force or dodge synchronized actions depending upon the decisions taken by the controller after the last synchronized action. The fact that both language equivalence and bisimulation equivalence are undecidable for unbounded labelled Petri nets might be seen as an indication that non-interference properties based on these equivalences cannot be decided. We prove the opposite, providing decidability results for non-interference over a representative class of infinite state systems.

1 Introduction 

Non-interference has been defined in the literature as an extensional property based on some observational semantics: the high part H (i.e., the secret part) of a system does not interfere with the low part L (i.e., the public part) if whatever is done in H produces no visible effect on L. The original notion of non-interference in [6] was defined, using language equivalence, for deterministic automata with outputs. Generalized notions of non-interference were then designed to include (nondeterministic) labelled transition systems and finer notions of observational semantics such as bisimulation (see, e.g., [?]). Recently, the problem of defining suitable non-interference properties has also been attacked in the classical model of elementary Petri nets, a special class of Petri nets where places can contain at most one token [?]. When it is necessary to declassify information (e.g., when a secret plan has to be made public for realization), the two-level approach (secret/public, H/L) is usually extended with one intermediate level of downgrading (D), so that the high actions that have been performed prior to a declassifying action are made public by this declassifying action. This security policy is known under the name of intransitive noninterference [?] (INI for short) because the information flow relation is considered not transitive: even if information flows from H to D and from D to L are allowed, direct flows from H to L are forbidden. In [8] intransitive non-interference has been defined for elementary net systems.

The technical goal of this paper is to show the decidability of intransitive non-interference in the extended framework of unbounded (Place/Transition) Petri nets, and this for both definitions, based alternatively on language equivalence or on weak bisimulation equivalence. As both equivalences are undecidable for unbounded labelled Petri nets [9, 11], the decidability of intransitive non-interference is not a trivial result. This is however not the first result of this type for infinite-state systems. It was actually shown in [3] that Strong Low Bisimulation, and Strong Security which is based on the latter equivalence, can be decided for Parallel While Programs defined over expressions from decidable first order theories. Decidability is also established in [?] for Strong Dynamic Security, which takes both downgrading and upgrading into account. In that work, decidability comes for a large part from the property of Strong Low Bisimulation to envisage implicitly, through its recursive definition, all possible modifications of the dynamic store by a concurrent context (without any effective definition). In our work, decidability also comes for a large part from the fact that our basic security properties are NDC (NonDeducibility on Composition) and its bisimulation version BNDC [4, 5], hence we envisage implicitly arbitrary concurrent contexts defined by Petri nets with high-level transitions. Now, the results presented in [3] concern language based security whereas our results concern discrete event systems security. As a matter of fact, the two settings do not compare: on the one hand, owing to the impossibility of testing places for zero, unbounded Place/Transition nets have less computing power than Parallel Write Programs, but on the other hand they have labeled transition semantics whereas Parallel Write Programs have unlabeled transition semantics.



Let us now explain the meaning of non-interference in the context of systems and control. In the Ramadge and Wonham approach to supervisory control for safety properties of discrete event systems [16, 17], one considers closed loop systems made of a plant (the system under control) and a controller that may share actions but have disjoint sets of local states. Synchronization on shared actions allows the controller to observe the plant and to disable selected actions of the plant. Actions of the plant may be invisible to the controller, but all actions of the controller are shared with the plant and synchronized. Moreover, controllers are deterministic, hence the current state of the controller may be inferred from the past behaviour of the plant. In the present paper, the closed system made of the plant and the controller is modelled by an unbounded Petri net with three levels of transitions L, D and H. A place may count, e.g., an unbounded number of clients or goods. Transitions in L represent actions of the plant alone. Transitions in D represent synchronized actions of the plant and the controller. Transitions in H represent actions of the controller alone. Here the controller can check and modify proactively the global state to orient runs towards reaching some set of states or to maximize some profit. Intransitive non-interference means the impossibility for the controlled system, seen as the adversary of the controller, to win by forcing or dodging synchronized actions that depend upon the decisions taken by the controller after the last synchronized action. An example is given in Section 4.

We are mainly interested in intransitive non-interference. Nevertheless, in a large part of the paper, we shall focus on classical non-interference, in order to establish first the technical results in a simpler framework. In Section 2 we recall the basics of labeled transition systems and Petri nets. Section 3 presents the definitions of classical non-interference notions for PT-nets, and proves that both the language equivalence based and the weak bisimulation equivalence based notions of classical non-interference are decidable. Section 4 presents the definition of intransitive non-interference for PT-nets, introduces examples showing the practical significance of this notion in the context of discrete event systems, and provides decidability results extending the results of Section 3. Section 5 reports some concluding remarks. A short appendix recalls some results on Petri nets and semi-linear sets used in our proofs.



18 



Deciding NI over Unbounded PN 



2 Background 

2.1 Transition systems and bisimulations 

Definition 2.1 (LTS). A labeled transition system over a set of labels $\Sigma$ is a tuple $\mathcal{T} = (Q, T, q_0)$ where $Q$ is a set of states, $q_0$ is the initial state, and $T \subseteq Q \times \Sigma \times Q$ is a set of labeled transitions. An LTS is said to be deterministic if $(q, \sigma, q') \in T$ and $(q, \sigma, q'') \in T$ entail $q' = q''$.

Definition 2.2 (LTS under partial observation). A partially observed LTS is an LTS $\mathcal{T} = (Q, T, q_0)$ over a set of labels $\Sigma$ which is partitioned into observable labels $\sigma \in \Sigma_o$ (for convenience, we assume that $\varepsilon \notin \Sigma_o$) and unobservable labels $\tau \in \Sigma_{uo}$. In a partially observed LTS, $q \to^* q'$ denotes the least binary relation on states such that $q \to^* q$ for all $q \in Q$, $q \to^* q'$ for all $(q, \tau, q') \in T$ with $\tau \in \Sigma_{uo}$, and $q \to^* q'$ whenever $q \to^* q''$ and $q'' \to^* q'$ for some $q''$.

Definition 2.3 (Language equivalence). The language of a partially observed LTS is the set of all finite words $\sigma_1 \sigma_2 \ldots \sigma_n$ (including $\varepsilon$, which corresponds to $n = 0$) such that $q_0 \to^* q_1 \xrightarrow{\sigma_1} q'_1 \to^* q_2 \xrightarrow{\sigma_2} q'_2 \ldots \to^* q_n \xrightarrow{\sigma_n} q'_n$ for some adequate sequence of states $q_i$ and $q'_i$. Two partially observed LTS's $\mathcal{T}$ and $\mathcal{T}'$ are language equivalent (in notation, $\mathcal{T} \sim \mathcal{T}'$) if they have the same language.

Definition 2.4 (Weak simulation). Given a set of labels $\Sigma = \Sigma_o \cup \Sigma_{uo}$ and two partially observed LTS's $\mathcal{T}$ and $\mathcal{T}'$ over $\Sigma$, $\mathcal{T}$ is weakly simulated by $\mathcal{T}'$ (or $\mathcal{T}'$ weakly simulates $\mathcal{T}$) if there exists a binary relation $R \subseteq Q \times Q'$, called a weak simulation, such that $(q_0, q'_0) \in R$ and the following requirements are satisfied for all $(q_1, q'_1) \in R$, and for all $\sigma \in \Sigma_o$ and $\tau \in \Sigma_{uo}$:

• if $q_1 \xrightarrow{\sigma} q_2$ then $(\exists q'_2) : (q_2, q'_2) \in R$ and $q'_1 \to^* q''_1 \xrightarrow{\sigma} q'''_1 \to^* q'_2$ for some states $q''_1$, $q'''_1$;

• if $(q_1, \tau, q_2) \in T$ then $(\exists q'_2) : (q_2, q'_2) \in R$ and $q'_1 \to^* q'_2$.

If $\mathcal{T}$ is weakly simulated by $\mathcal{T}'$, then the language of $\mathcal{T}$ is included in the language of $\mathcal{T}'$.

Definition 2.5 (Weak bisimilarity). Given a set of labels $\Sigma = \Sigma_o \cup \Sigma_{uo}$, two partially observed LTS's $\mathcal{T} = (Q, T, q_0)$ and $\mathcal{T}' = (Q', T', q'_0)$ over $\Sigma$ are weakly bisimilar (in notation, $\mathcal{T} \approx \mathcal{T}'$) if and only if there exists some binary relation $R \subseteq Q \times Q'$, called a weak bisimulation, such that $(q_0, q'_0) \in R$ and both $R$ and $R^{-1}$ are weak simulations.

If $\mathcal{T}$ and $\mathcal{T}'$ are weakly bisimilar, then they are language equivalent.

2.2 Place/Transition Petri nets 

In order to keep the presentation concise, we omit here the basic definition of Petri nets which may be 
found in an appendix together with some classical decidability results. 

Definition 2.6 (PT-net system). A PT-net system $\mathcal{N} = (P, T, F, M_0)$ is a PT-net with an initial marking $M_0$. The reachability set $RS(\mathcal{N})$ of $\mathcal{N}$ is the set of all markings that may be reached from $M_0$ by sequences of transitions of the net. The reachability graph $RG(\mathcal{N})$ of $\mathcal{N}$ is the LTS with the set of states $[M_0\rangle$ and the initial state $M_0$, where $[M_0\rangle = RS(\mathcal{N})$ and there is a transition from $M$ to $M'$ labeled with $t$ iff $M[t\rangle M'$. Given $\mathcal{N} = (P, T, F, M_0)$, the underlying net is $\mathcal{U}(\mathcal{N}) = (P, T, F)$. For convenience, we write $\mathcal{N} = (\mathcal{U}(\mathcal{N}), M_0)$.

Definition 2.7 (Composition of net systems). Given two PT-net systems $\mathcal{N}_1 = (P_1, T_1, F_1, M_{1,0})$ and $\mathcal{N}_2 = (P_2, T_2, F_2, M_{2,0})$ such that $P_1 \cap P_2 = \emptyset$, their composition $\mathcal{N}_1 | \mathcal{N}_2$ is the PT-net system $(P, T, F, M_0)$ where $P$ is the union of $P_1$ and $P_2$, $T$ is the union of $T_1$ and $T_2$, and $F$ and $M_0$ are the unions of the maps $F_i$ and $M_{i,0}$ respectively for $i = 1, 2$. Also let $\mathcal{U}(\mathcal{N}_1) | \mathcal{U}(\mathcal{N}_2) = \mathcal{U}(\mathcal{N}_1 | \mathcal{N}_2)$.

Note that synchronisation occurs over those transitions that are shared by the two nets, that is, for a transition $t$ that occurs both in $T_1$ and $T_2$, we have that, e.g., $F(p,t) = F_1(p,t)$ if $p \in P_1$, and $F(p,t) = F_2(p,t)$ otherwise.

Definition 2.8 (Restriction of a net system). Given a PT-net system $\mathcal{N} = (P, T, F, M_0)$ and a subset of transitions $T' \subseteq T$, let $\mathcal{N} \setminus T' = (P, T \setminus T', F', M_0)$ where $F'$ is the induced restriction of $F$ on $T \setminus T'$. Also let $\mathcal{U}(\mathcal{N}) \setminus T' = (P, T \setminus T', F')$.

Definition 2.9 (Labeled net system). A labeled net system $(\mathcal{N}, \lambda)$ is a PT-net system $\mathcal{N} = (P, T, F, M_0)$ with a transition labelling map $\lambda : T \to \Sigma_o \cup \{\varepsilon\}$ (the subscript $o$ in $\Sigma_o$ means an alphabet of observations). The labeled reachability graph of $(\mathcal{N}, \lambda)$ is the partially observed LTS over $\Sigma = \Sigma_o \cup \{\varepsilon\}$ which derives from $RG(\mathcal{N})$ by replacing each transition $M[t\rangle M'$ with a corresponding transition $(M, \lambda(t), M')$.

Definition 2.10 (Weak simulation). Given two labeled net systems $(\mathcal{N}, \lambda)$ and $(\mathcal{N}', \lambda')$ over the same set of labels $\Sigma_o$, $(\mathcal{N}, \lambda)$ is weakly simulated by $(\mathcal{N}', \lambda')$ if the labeled reachability graph of $\mathcal{N}$ is weakly simulated by the labeled reachability graph of $\mathcal{N}'$.

Definition 2.11 (Equivalences of labeled net systems). Two labeled net systems $(\mathcal{N}, \lambda)$ and $(\mathcal{N}', \lambda')$ over the same set of labels $\Sigma_o$ are:

• language equivalent (in notation, $(\mathcal{N}, \lambda) \sim (\mathcal{N}', \lambda')$ or for short $\mathcal{N} \sim \mathcal{N}'$ when the labelling maps are clear from the context) if their labeled reachability graphs are language equivalent;

• weakly bisimilar (in notation, $(\mathcal{N}, \lambda) \approx (\mathcal{N}', \lambda')$ or for short $\mathcal{N} \approx \mathcal{N}'$ when the labelling maps are clear from the context) if their labeled reachability graphs are weakly bisimilar.

A weak bisimulation between the labeled reachability graphs of two labeled net systems is called a weak bisimulation between them.

A particular case is with partially observed net systems, i.e. when $\Sigma_o = T_o \subseteq T$, $\lambda(t) = t$ for $t \in T_o$, and $\lambda(t) = \varepsilon$ for $t \in T \setminus T_o$. For partially observed net systems, $(\mathcal{N}, \lambda) \sim (\mathcal{N}', \lambda')$ if and only if the reachability graphs of $\mathcal{N}$ and $\mathcal{N}'$, considered as partially observed LTS's with $\Sigma_{uo} = T \setminus T_o$, are language equivalent in the sense of Definition 2.3. In the same conditions, $(\mathcal{N}, \lambda) \approx (\mathcal{N}', \lambda')$ if and only if $RG(\mathcal{N}) \approx RG(\mathcal{N}')$ in the sense of Definition 2.5.

Proposition 2.12. If $\lambda$ is the identity, $(\mathcal{N}, \lambda) \approx (\mathcal{N}', \lambda)$ iff $(\mathcal{N}, \lambda) \sim (\mathcal{N}', \lambda)$.

3 Classical non-interference in PT-nets 

In this section, we focus on systems that can perform two kinds of actions: high-level actions, represent- 
ing the interaction of the system with high-level users, and low-level actions, representing the interaction 
of the system with low-level users. The system has the property of non-interference if the interplay be- 
tween its low-level part and high-level part cannot affect the low level user's view of the system, even 
assuming that the low-level user knows the structure of the system. As already said in the introduc- 
tion, the goal of this section is to provide the technical basis that we need for showing subsequently 
the decidability of intransitive non-interference for PT-nets, which we feel has more direct interest for 
applications in the context of discrete event systems. We must therefore postpone the presentation of 
motivating examples. 

Definition 3.1 (Two-level net system). A two-level PT-net system is a PT-net system $\mathcal{N} = (P, T, F, M_0)$ whose set of transitions $T$ is partitioned into low level transitions $l \in L$ and high level transitions $h \in H$, such that $T = L \cup H$ and $L \cap H = \emptyset$. A net system $\mathcal{N}$ is a high-level net system if all transitions in $T$ are high-level transitions. It is a low-level net system if all transitions in $T$ are low-level transitions.

Henceforth, two-level net systems are considered as partially observed net systems where the transitions in $L$ are observable while the transitions in $H$ are unobservable ($\Sigma_o = L$ and $\Sigma_{uo} = H$). This interpretation applies to all instances of the relations $\mathcal{N} \sim \mathcal{N}'$ or $\mathcal{N} \approx \mathcal{N}'$ between two-level net systems. We denote by $\mathscr{L}(\mathcal{N})$ the language of a two-level net system $\mathcal{N}$, that is to say, the set of images $\lambda(t_1 t_2 \cdots t_n)$ of sequences of transitions $M_0[t_1 t_2 \cdots t_n\rangle M$ under the labelling map $\lambda(t) = t$ for $t \in L$ and $\lambda(t) = \varepsilon$ for $t \in H$.

Definition 3.2 (NDC-BNDC). A two-level net system $\mathcal{N}$ has the property NDC (Non-Deducibility on Compositions), resp. BNDC (Bisimulation-Based Non-Deducibility on Compositions), if for any high-level net system $\mathcal{N}'$ with a set of transitions $H'$ not intersecting $L$, the two-level net systems $\mathcal{N} \setminus H$ and $(\mathcal{N} | \mathcal{N}') \setminus (H \setminus H')$ are language equivalent, resp. weakly bisimilar.

The definitions of NDC and BNDC are very strong, and their verification is indeed quite demanding: infinitely many equivalence checks are required, one for each choice of a high-level net system $\mathcal{N}'$. Moreover, each equivalence check may be a problem, as both language equivalence and bisimulation equivalence are undecidable over unbounded labeled PT-nets and likewise over unbounded partially observed PT-nets [9, 11]. We shall discuss the strength of these notions in Section 4. For the moment, what we need is an alternative characterization of these properties, more amenable to an algorithmic treatment in view of showing decidability.

3.1 Deciding on NDC 

In this section, we show that $\mathcal{N}$ enjoys NDC if and only if $\mathcal{N}$ and $\mathcal{N} \setminus H$ are language equivalent.

Proposition 3.3. For any high-level net system $\mathcal{N}'$ with set of transitions $H'$ not intersecting $L$, $\mathcal{N} \setminus H$ is weakly simulated by $(\mathcal{N} | \mathcal{N}') \setminus (H \setminus H')$, which in turn is weakly simulated by $\mathcal{N}$ (where all net systems under consideration have the same set of observable transitions $\Sigma_o = L$).

Proof. Any transition from $L$ has similar place neighbourhoods in $\mathcal{N} \setminus H$, $(\mathcal{N} | \mathcal{N}') \setminus (H \setminus H')$ and $\mathcal{N}$, and the transitions from $L$ and $H'$ have disjoint place neighbourhoods in $(\mathcal{N} | \mathcal{N}') \setminus (H \setminus H')$. □

Proposition 3.4. $\mathcal{N}$ has the property NDC iff $\mathcal{N} \sim \mathcal{N} \setminus H$. Moreover, this property can be decided.

Proof. By definition, $\mathcal{N}$ has the property NDC iff, for any high-level net system $\mathcal{N}'$ with a set of transitions $H'$ not intersecting $L$, the two-level net systems $\mathcal{N} \setminus H$ and $(\mathcal{N} | \mathcal{N}') \setminus (H \setminus H')$ are language equivalent. Now, the chain of inclusion relations $\mathscr{L}(\mathcal{N} \setminus H) \subseteq \mathscr{L}((\mathcal{N} | \mathcal{N}') \setminus (H \setminus H')) \subseteq \mathscr{L}(\mathcal{N})$ holds by Proposition 3.3. Both bounds are reached for some net system $\mathcal{N}'$; indeed, the lower bound is reached when $\mathcal{N}'$ has no place and $H' = \emptyset$, and the upper bound is reached when $\mathcal{N}'$ has no place and $H' = H$. Suppose $\mathcal{N}$ has the property NDC, then $\mathscr{L}(\mathcal{N} \setminus H) = \mathscr{L}((\mathcal{N} | \mathcal{N}') \setminus (H \setminus H')) = \mathscr{L}(\mathcal{N})$ for $\mathcal{N}'$ realizing the upper bound. Conversely, suppose that $\mathscr{L}(\mathcal{N} \setminus H) = \mathscr{L}(\mathcal{N})$, then necessarily $\mathscr{L}(\mathcal{N} \setminus H) = \mathscr{L}((\mathcal{N} | \mathcal{N}') \setminus (H \setminus H'))$. Hence, the first claim in the proposition has been established. As all transitions are observable in the net system $\mathcal{N} \setminus H$, the language $\mathscr{L}(\mathcal{N} \setminus H)$ is a free Petri net language. By E. Pelz's theorem and corollary (Theorem 6.4 in the appendix), one can decide whether $\mathscr{L}(\mathcal{N}) \subseteq \mathscr{L}(\mathcal{N} \setminus H)$, and hence whether the two languages are equal. □

Example 3.5. The net system $\mathcal{N}_1$ of Figure 1(a) is insecure, as $\mathcal{N}_1$ can perform the low transition $l$ at some stage, while $\mathcal{N}_1 \setminus H$ cannot. On the contrary, the net system $\mathcal{N}_2$ in Figure 1(b) enjoys NDC.

Figure 1: Two simple two-level net systems

Figure 2: An infinite-state net system (l.h.s.) and its labeled reachability graph (r.h.s.)



Example 3.6. Consider the disconnected net system $\mathcal{N}$ in Figure 2 (l.h.s.). Intuitively, we expect that this system is secure because the high part of the net (the left part) and the low part of the net (the right part) are disconnected and so it appears that no interference is possible. In view of Definition 3.2 it seems however difficult to verify this property by direct inspection of the infinite labeled reachability graph of $\mathcal{N}$ shown in Figure 2 (r.h.s.). With the help of Proposition 3.4 this verification becomes straightforward: the transition system that generates the language $\mathscr{L}(\mathcal{N} \setminus H)$, which corresponds to the left column of the picture, and the deterministic transition system that generates the language $\mathscr{L}(\mathcal{N})$ (obtained by replacing all labels $h_i$ by $\varepsilon$ and then applying the usual subset construction) are indeed identical.



3.2 Reducing BNDC to SBNDC 

For BNDC, things are a bit more complex, although we have the following property.

Lemma 3.7. If $\mathcal{N}$ has the property BNDC, then $\mathcal{N} \approx \mathcal{N} \setminus H$.

Proof. Let $\mathcal{N}'$ be the high-level net system with no place and with the set of transitions $H' = H$, then the reachability graphs of $\mathcal{N}$ and $(\mathcal{N} | \mathcal{N}') \setminus (H \setminus H')$ are isomorphic, hence they are weakly bisimilar, that is $\mathcal{N} \approx (\mathcal{N} | \mathcal{N}') \setminus (H \setminus H')$. If $\mathcal{N}$ has the property BNDC, then $\mathcal{N} \setminus H \approx (\mathcal{N} | \mathcal{N}') \setminus (H \setminus H')$, and the lemma follows since $\approx$ is an equivalence. □

Example 3.8. Consider the net system $\mathcal{N}$ in Figure 3. $\mathcal{N}$ is NDC because $\mathcal{N} \sim \mathcal{N} \setminus H$. However, $\mathcal{N}$ is not BNDC because $\mathcal{N} \not\approx \mathcal{N} \setminus H$. Indeed, this net is insecure: a low-level user who is unable to perform transition $l$ can deduce from this failure that the high-level transition $h$ has been performed.

In the rest of the section, we show that .yV enjoys BNDC if and only if it enjoys the property SBNDC 
defined below. 

Definition 3.9 (SBNDC). A two-level net system $\mathcal{N}$ has the property SBNDC (Bisimulation-Based Strong Non-Deducibility on Compositions) if, for any reachable marking $M_1$ of $\mathcal{N} = (N, M_0)$ and for any high-level transition $h \in H$, $M_1[h\rangle M_2$ entails that $(N \setminus H, M_1)$ and $(N \setminus H, M_2)$ are weakly bisimilar.







Figure 3: A simple two-level net system



Note that, in view of Proposition 2.12, the relation between $M_1$ and $M_2$ required in Definition 3.9 may be equivalently expressed as $\mathscr{L}(N \setminus H, M_1) = \mathscr{L}(N \setminus H, M_2)$.

Definition 3.10. Let $R \subseteq RS(\mathcal{N} \setminus H) \times RS(\mathcal{N})$ be the binary relation on markings which is generated from the axiom $M_0 R M_0$ by the following two inference rules, where $h \in H$ and $l \in L$:

• $M_1 R M_2$ and $M_1 = M'_1$ and $M_2[h\rangle M'_2$ entail $M'_1 R M'_2$

• $M_1 R M_2$ and $M_1[l\rangle M'_1$ and $M_2[l\rangle M'_2$ entail $M'_1 R M'_2$

Paraphrasing the definition, $M R M'$ if and only if there exist $w \in L^*$ and $w' \in (L \cup H)^*$ such that $M_0[w\rangle M$, $M_0[w'\rangle M'$, and $w$ is the projection of $w'$ on $L^*$. In the specific case where $\mathcal{N}$ is BNDC, $R$ is a weak bisimulation between $\mathcal{N} \setminus H$ and $\mathcal{N}$, and it is indeed the least weak bisimulation between them.

Lemma 3.11. Let $\mathcal{N} = (N, M_0)$ be a net system with the BNDC property and let $M_1$ and $M_2$ be reachable markings of $\mathcal{N} \setminus H$ and $\mathcal{N}$, respectively. If $M_1 R M_2$, then $\mathscr{L}(N \setminus H, M_1) = \mathscr{L}(N \setminus H, M_2)$.

Proof. As $M_1 R M_2$, there exist $w \in L^*$ and $w' \in (L \cup H)^*$ such that $M_0[w\rangle M_1$, $M_0[w'\rangle M_2$, and $w$ is the projection of $w'$ on $L^*$. Let $k = |w'| - |w|$ be the difference of length between $w'$ and $w$. Consider the high-level net system $\mathcal{K} = (K, M_K)$ where $K$ is a net with a unique place $p_k$, the set of transitions $H$, and flow relations $F(p_k, h) = 1$ and $F(h, p_k) = 0$ for every transition $h$, and where $M_K(p_k) = k$. Let $M'_0$ and $M'_2$ be the markings of $N' = \mathcal{U}(\mathcal{N} | \mathcal{K})$, extending $M_0$ and $M_2$, respectively, such that $M'_0(p_k) = k$ and $M'_2(p_k) = 0$. By construction, $M'_0[w'\rangle M'_2$ in $\mathcal{N} | \mathcal{K}$. As $\mathcal{N}$ has the property BNDC and $\mathcal{K}$ is a high-level net system, $\mathcal{N} \setminus H \approx (\mathcal{N} | \mathcal{K}) \setminus (H \setminus H) = \mathcal{N} | \mathcal{K}$. As all transitions of $\mathcal{N} \setminus H$ are observable and $w$ is the observable projection of $w'$, $M_1$ and $M'_2$ are two weakly bisimilar markings of $\mathcal{N} \setminus H$ and $\mathcal{N} | \mathcal{K}$, and hence $\mathscr{L}(N \setminus H, M_1) = \mathscr{L}(N | K, M'_2)$. As $M'_2(p_k) = 0$, no transition in $H$ can occur in any sequence fired from $M'_2$ in $N | K$, and therefore $\mathscr{L}(N | K, M'_2) = \mathscr{L}(N \setminus H, M_2)$. Altogether, $\mathscr{L}(N \setminus H, M_1) = \mathscr{L}(N \setminus H, M_2)$. □

Proposition 3.12. $\mathcal{N} = (N, M_0)$ has the property BNDC iff for all reachable markings $M_1$ and $M_2$ of $N \setminus H$ and $N$, respectively, $M_1 R M_2$ entails $\mathscr{L}(N \setminus H, M_1) = \mathscr{L}(N \setminus H, M_2)$.

Proof. The direct implication has already been established. To show the converse implication, consider any high-level net system $\mathcal{N}'$ with set of transitions $H'$ not intersecting $L$. Let $B$ be the relation between the reachable markings of $\mathcal{N} \setminus H$ and $(\mathcal{N} | \mathcal{N}') \setminus (H \setminus H')$ defined as follows. Let $(M_2 | M'_2)$ denote the marking of $\mathcal{N} | \mathcal{N}'$ that projects on the markings $M_2$ and $M'_2$ of $\mathcal{N}$ and $\mathcal{N}'$, respectively. Then, let $M_1 B (M_2 | M'_2)$ iff $M_1 R M_2$. Assume that $M_1 R M_2$ entails $\mathscr{L}(N \setminus H, M_1) = \mathscr{L}(N \setminus H, M_2)$. We will show that $B$ is a weak bisimulation between $\mathcal{N} \setminus H$ and $(\mathcal{N} | \mathcal{N}') \setminus (H \setminus H')$, entailing that $\mathcal{N}$ has the property BNDC. As $M_1 R M_2$ for $M_1 = M_0$ and $M_2 = M_0$, the relation $B$ holds between the initial states of the two net systems. Now consider any occurrence $M_1 B (M_2 | M'_2)$ of the relation $B$, hence $M_1 R M_2$ (by construction of $B$).

• Let $M_1[l\rangle \bar{M}_1$ for $l \in L$. As $M_1 R M_2$ entails $\mathscr{L}(N \setminus H, M_1) = \mathscr{L}(N \setminus H, M_2)$, necessarily $M_2[l\rangle \bar{M}_2$ for some marking $\bar{M}_2$, and then by definition of $R$, $\bar{M}_1 R \bar{M}_2$. Thus, $(M_2 | M'_2)[l\rangle(\bar{M}_2 | M'_2)$ with $\bar{M}_1 B (\bar{M}_2 | M'_2)$.

• Let $(M_2 | M'_2)[l\rangle(\bar{M}_2 | \bar{M}'_2)$ for $l \in L$. As $M_1 R M_2$ entails $\mathscr{L}(N \setminus H, M_1) = \mathscr{L}(N \setminus H, M_2)$, necessarily $M_1[l\rangle \bar{M}_1$ for some marking $\bar{M}_1$ such that $\bar{M}_1 R \bar{M}_2$, hence $\bar{M}_1 B (\bar{M}_2 | \bar{M}'_2)$ by definition of $B$.

• Let $(M_2 | M'_2)[h\rangle(\bar{M}_2 | \bar{M}'_2)$ for $h \in H$, then certainly $M_2[h\rangle \bar{M}_2$ in $\mathcal{N}$. Since $M_1 R M_2$, we have also $M_1 R \bar{M}_2$ by definition of $R$, hence $M_1 B (\bar{M}_2 | \bar{M}'_2)$ by definition of $B$.

Summing up, $B$ is a weak bisimulation and $\mathcal{N}$ has the property BNDC. □

Proposition 3.13. $\mathcal{N}$ has the property SBNDC iff for any reachable marking $M_1$ of $\mathcal{N} = (N, M_0)$ and for any high-level transition $h \in H$, $M_1[h\rangle M_2$ entails that $\mathscr{L}(N \setminus H, M_1) = \mathscr{L}(N \setminus H, M_2)$.

Proof. As for $\mathcal{N} \setminus H$ the labelling is the identity $\lambda(l) = l$, the claim follows by Proposition 2.12. □

Theorem 3.14. $\mathcal{N}$ has the property BNDC iff it has the property SBNDC.

Proof. Suppose that $\mathcal{N}$ has the property BNDC. Then, by Lemma 3.7, $\mathcal{N} \approx \mathcal{N} \setminus H$, hence $\mathscr{L}(\mathcal{N}) = \mathscr{L}(\mathcal{N} \setminus H)$. Let $M_0[s\rangle M_1$ in $\mathcal{N}$, then necessarily $M_0[s'\rangle M'_1$ in $\mathcal{N} \setminus H$ for $s'$ defined as the observable projection of $s$. Thus $M'_1 R M_1$ by definition of $R$. As $M_1[h\rangle M_2$, we have also $M'_1 R M_2$. By Proposition 3.12, $\mathscr{L}(N \setminus H, M_1) = \mathscr{L}(N \setminus H, M'_1) = \mathscr{L}(N \setminus H, M_2)$, hence $\mathcal{N}$ has the property SBNDC.

Now assume that $\mathcal{N}$ has the property SBNDC. By Proposition 3.12, in order to prove that $\mathcal{N}$ has the property BNDC, it suffices to show that $M_1 R M_2$ entails $\mathscr{L}(N \setminus H, M_1) = \mathscr{L}(N \setminus H, M_2)$ for all reachable markings $M_1$ and $M_2$ of $\mathcal{N} \setminus H$ and $\mathcal{N}$ respectively. Let $M_1$ and $M_2$ be two such markings and assume that $M_1 R M_2$. In view of Definition 3.10, this relation has been derived from the axiom $M_0 R M_0$ using the two inference rules (where we have exchanged the $M_i$ and the $M'_i$ from Definition 3.10):

• $M'_1 R M'_2$ and $M'_1 = M_1$ and $M'_2[h\rangle M_2$ entail $M_1 R M_2$

• $M'_1 R M'_2$ and $M'_1[l\rangle M_1$ and $M'_2[l\rangle M_2$ entail $M_1 R M_2$

If $M_1 = M_2$, then there is nothing to prove. In the converse case, one can assume by induction on the derivation of $M_1 R M_2$ that $\mathscr{L}(N \setminus H, M'_1) = \mathscr{L}(N \setminus H, M'_2)$. The desired conclusion follows then from Definition 3.9 for the first rule, and from the definition of $R$ and the injective labelling of nets for the second rule. □

Despite the fact that SBNDC requires infinitely many equivalence checks, one for each reachable 
marking enabling a high-level transition, it (and hence also BNDC) can be decided, as will be seen in the 
next section. 

3.3 Deciding SBNDC 

In this section, we reduce SBNDC to the conjunction, for all high-level transitions $h$ and for all low-level transitions $l$, of a predicate $P(h, l)$ meaning that the enabling or disabling of $l$ in the net after a sequence of low transitions $s \in L^*$ gives no indication on whether $h$ has been fired immediately before $s$.

Definition 3.15. Given a two-level net system $\mathcal{N}$ and two transitions $h \in H$ and $l \in L$, we say that $P(h, l)$ holds iff for any words $s \in L^*$ and $w \in (L \cup H)^*$, if $M_0[w\rangle M_1$, $M_1[h\rangle M_2$, $M_1[s\rangle M_3$, and $M_2[s\rangle M_4$, then $M_3[l\rangle$ iff $M_4[l\rangle$.

Figure 4 shows a situation where $P(h, l)$ is not satisfied, because $l$ is enabled at $M_4$ but not at $M_3$. This corresponds roughly to causal information flow [2] from $h$ to $l$. The other situation in which $P(h, l)$ is not satisfied is the symmetric one, when $l$ is enabled at $M_3$ but disabled at $M_4$; this roughly corresponds to conflict information flow [2] from $h$ to $l$.
Figure 4: Illustration of Property $P(h, l)$

Proposition 3.16. $\mathcal{N}$ has the property SBNDC iff $P(h, l)$ holds for any high-level action $h \in H$ and for any low-level action $l \in L$.

Proof. This is a direct consequence of Proposition 3.13. Indeed, $M_1[h\rangle M_2$ and $P(h, l)$ for all $l$ entail $\mathscr{L}(N \setminus H, M_1) = \mathscr{L}(N \setminus H, M_2)$, and conversely, $\mathscr{L}(N \setminus H, M_1) = \mathscr{L}(N \setminus H, M_2)$ for all transitions $M_1[h\rangle M_2$ entails $P(h, l)$ for all $l$. □

We will now show that $P(h, l)$ is a decidable property, entailing that one can decide whether a given net system $\mathcal{N}$ has the property SBNDC (because in a finite net, there are finitely many pairs $(h, l)$).
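As an added illustration (not from the paper), the Python below models a two-level PT-net system and decides SBNDC on bounded nets by searching directly for a violation of $P(h, l)$ (Definition 3.15, Proposition 3.16): the two runs of $s$ from $M_1$ and from $M_2$ are explored in lockstep, instead of going through the product net $\mathcal{N}'$ of the decidability proof that follows. The three nets are constructed to mimic the behaviour described for Figures 1(a), 3 and 2 (their arcs are not given in the text, so the nets are assumptions), and the token bound makes the search exact for bounded nets only.

```python
from collections import deque


class PTNet:
    """Two-level PT-net system: transitions split into low L and high H."""

    def __init__(self, places, transitions, m0, low, high):
        self.places = list(places)
        self.transitions = transitions      # name -> (pre, post), each place -> weight
        self.m0 = tuple(m0.get(p, 0) for p in self.places)  # markings are tuples
        self.low, self.high = set(low), set(high)
        assert self.low.isdisjoint(self.high) and self.low | self.high == set(transitions)

    def enabled(self, m, t):
        return all(m[self.places.index(p)] >= w for p, w in self.transitions[t][0].items())

    def fire(self, m, t):
        pre, post = self.transitions[t]
        m = list(m)
        for p, w in pre.items():
            m[self.places.index(p)] -= w
        for p, w in post.items():
            m[self.places.index(p)] += w
        return tuple(m)


def reachable(net, allowed=None, bound=3):
    """BFS reachability set over `allowed` transitions (default: all). Markings
    with more than `bound` tokens in a place are cut off, so the result is exact
    for bounded nets and an under-approximation of RS(N) otherwise."""
    allowed = set(net.transitions) if allowed is None else set(allowed)
    seen, queue = {net.m0}, deque([net.m0])
    while queue:
        m = queue.popleft()
        for t in allowed:
            if net.enabled(m, t):
                m2 = net.fire(m, t)
                if max(m2) <= bound and m2 not in seen:
                    seen.add(m2)
                    queue.append(m2)
    return seen


def violates_P(net, h, l, bound=3):
    """Counterexample to P(h,l) (Definition 3.15), or None: a reachable M1 with
    M1[h>M2 and a low word s with M1[s>M3, M2[s>M4 such that l is enabled at
    exactly one of M3, M4. The two runs of s are explored in lockstep as pairs.
    The kind of flow is 'causal' if l is enabled at M4 only, 'conflict' if at M3 only."""
    for m1 in reachable(net, bound=bound):
        if not net.enabled(m1, h):
            continue
        seen = {(m1, net.fire(m1, h))}
        queue = deque(seen)
        while queue:
            m3, m4 = queue.popleft()
            if net.enabled(m3, l) != net.enabled(m4, l):
                return ("causal" if net.enabled(m4, l) else "conflict", m3, m4)
            for t in net.low:               # extend s by one low transition
                if net.enabled(m3, t) and net.enabled(m4, t):
                    pair = (net.fire(m3, t), net.fire(m4, t))
                    if max(pair[0] + pair[1]) <= bound and pair not in seen:
                        seen.add(pair)
                        queue.append(pair)
    return None


def sbndc_counterexample(net, bound=3):
    """SBNDC by Proposition 3.16: P(h,l) must hold for every h in H and l in L."""
    for h in sorted(net.high):
        for l in sorted(net.low):
            ce = violates_P(net, h, l, bound)
            if ce is not None:
                return h, l, ce
    return None


# Constructed nets (the figures are not in the text; these only follow the
# behaviour the examples describe). Figure 3-like: h silently consumes the token
# that l needs, so a low user who cannot fire l learns that h has occurred.
FIG3_LIKE = PTNet(["p", "q"], {"h": ({"p": 1}, {}), "l": ({"p": 1}, {"q": 1})},
                  {"p": 1}, low={"l"}, high={"h"})
# Figure 1(a)-like: l needs a token that only h can produce (causal flow).
FIG1A_LIKE = PTNet(["r", "p"], {"h": ({"r": 1}, {"p": 1}), "l": ({"p": 1}, {})},
                   {"r": 1}, low={"l"}, high={"h"})
# Example 3.6-like: a high ring (a, b) and a low ring (c, d) sharing no place.
DISCONNECTED = PTNet(["a", "b", "c", "d"],
                     {"h1": ({"a": 1}, {"b": 1}), "h2": ({"b": 1}, {"a": 1}),
                      "l1": ({"c": 1}, {"d": 1}), "l2": ({"d": 1}, {"c": 1})},
                     {"a": 1, "c": 1}, low={"l1", "l2"}, high={"h1", "h2"})

if __name__ == "__main__":
    for name, net in [("Fig.3", FIG3_LIKE), ("Fig.1(a)", FIG1A_LIKE), ("disconnected", DISCONNECTED)]:
        print(name, "SBNDC counterexample:", sbndc_counterexample(net))
```

The two insecure nets are caught at $s = \varepsilon$ and classified as the conflict and causal flows of the paragraph above, while the disconnected net passes every pair $(h, l)$.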

Proposition 3.17. $P(h, l)$ is a decidable property.

Proof. Let a net $\mathcal{N}$ with initial marking $M_0$ and two fixed transitions $h \in H$ and $l \in L$ be given. Let $\mathcal{N}_1$ be an exact copy of $\mathcal{N}$ with place set $P_1$, except that it also contains another 'local' copy $l'_1$ of transition $l$. Let $\mathcal{N}_2$ be another exact copy of $\mathcal{N}$ with place set $P_2$ (disjoint from $P_1$), except that it also contains a local copy $l'_2$ of transition $l$ and a local copy $h'$ of transition $h$. Let $\mathcal{N}'$ be defined as $\mathcal{N}_1 | \mathcal{N}_2$ plus two further places $x$ and $y$ and the following extension of $F'$:

(a) $x$ is connected to all transitions in $H$ by a side-condition loop.

(b) $F'(x, h') = 1$, $F'(h', y) = 1$, $F'(y, l'_1) = 1$ and $F'(y, l'_2) = 1$.

Finally, let $x$ be initially marked with 1 token and $y$ with 0 tokens. The idea is that $\mathcal{N}'$ contains two components, one simulating the path from $M_0$ to $M_3$ in Figure 4 and another one simulating the path from $M_0$ to $M_4$, if such paths exist.

It is claimed that $P(h, l)$ holds true in $\mathcal{N}$ if and only if in the net $\mathcal{N}'$ so constructed, it is not possible to reach a marking $M'$ such that

$(M'[l'_1\rangle \wedge \neg M'[l'_2\rangle) \vee (\neg M'[l'_1\rangle \wedge M'[l'_2\rangle)$. (1)

To see ($\Rightarrow$), suppose that $M'_0[v\rangle M'$ where $M'_0$ is the initial marking of $\mathcal{N}'$ defined above, and where $M'$ satisfies (1). By (b) and because $M'$ enables either $l'_1$ or $l'_2$, $h'$ occurs exactly once in $v$, and neither $l'_1$ nor $l'_2$ occur in $v$. Hence $v$ can be split as $M'_0[v_1 h' v_2\rangle M'$ such that $v_1$ and $v_2$ contain only transitions of $H \cup L$. By (a), $v_2$ contains only transitions from $L$. Because $h'$ does not change the tokens on place set $P_1$, $v_1 v_2$ is an execution sequence of $\mathcal{N}$, whence $M_0[v_1 v_2\rangle$ in $\mathcal{N}$. Because $h'$ acts on $P_2$ exactly as $h$ does, $v_1 h v_2$ is an execution sequence of $\mathcal{N}$, whence $M_0[v_1 h v_2\rangle$ in $\mathcal{N}$. Because $l'_1$ and $l'_2$ act on $P_1$ and $P_2$, respectively, as does $l$, $M'_0[v_1 h' v_2 l'_1\rangle$ in $\mathcal{N}'$ iff $M_0[v_1 v_2 l\rangle$ in $\mathcal{N}$, and $M'_0[v_1 h' v_2 l'_2\rangle$ in $\mathcal{N}'$ iff $M_0[v_1 h v_2 l\rangle$ in $\mathcal{N}$. Because $M'$ satisfies (1), this means that $P(h, l)$ is false in $\mathcal{N}$. More precisely, referring to Definition 3.15, putting $w = v_1$ and $s = v_2$ yields $M_0[ws\rangle M_3$ and $M_0[whs\rangle M_4$ with $\neg(M_3[l\rangle \Leftrightarrow M_4[l\rangle)$ in $\mathcal{N}$.
This argument can easily be reversed in order to prove ($\Leftarrow$).

The proof is finished because by Corollary 6.8 it is decidable whether or not a marking satisfying (1) is reachable in $\mathcal{N}'$. □



Corollary 3.18. SBNDC is decidable for finite PT-nets. 

Corollary 3.19. BNDC is decidable for finite PT-nets. 

Figures 5 and 6 show an example for the construction in the preceding proof. In Figure 5, which depicts the net $\mathcal{N}$ with $H = \{h\}$ and $L = \{k, l\}$ on its left-hand side, we have

$M_0[k\rangle M_3$ with $\neg M_3[l\rangle$, and $M_0[hk\rangle M_4$ with $M_4[l\rangle$,

that is, $P(h, l)$ is violated in $\mathcal{N}$. In Figure 6, which depicts the net $\mathcal{N}'$ resulting from the construction in the proof, we have

$M'_0[h'k\rangle M'$ with $\neg M'[l'_1\rangle$ and $M'[l'_2\rangle$,

that is, we find a reachable marking $M'$ satisfying (1).




Figure 5: A system violating $P(h, l)$





Figure 6: A system satisfying (1) for some $M'$ (place sets $P_1 = \{p_1, q_1, r_1\}$ and $P_2 = \{p_2, q_2, r_2\}$)
4 Intransitive non-interference

We enter now a less technical part of the paper, where we try to show how the decision results established in Section 3 may be applied to check the quality of control in the framework of discrete event systems. As it would be difficult to present applications to real systems, we shall consider toy examples which we hope will at least make the intuitions clear.



Figure 7: A three-level net system

Our first example is the net system shown in Figure 7. This net is composed of two directed rings interconnected by bidirectional arcs plus a sink place (in the center) fed by three transitions connected to both rings. Each arc from a place $p$ to a transition $t$ means a flow $F(p, t) = 1$. Each arc from a transition $t$ to a place $p$ means a flow $F(t, p) = 1$, except for the arc from $l_1$ labeled with 2, meaning that $F(l_1, p) = 2$ for the target place $p$. The internal ring formed with the low-level transitions $l_1, l_2, l_3$ represents a flock of prey that travel clockwise from place to place, and split each time they go through $l_1$. The external ring formed with the high-level transitions $h_1, h_2, h_3$ represents an observer that also travels clockwise and watches the prey but moves only if some prey has been detected in the location currently observed. The three (downgrading) transitions $d_1, d_2, d_3$ represent the actions of a predator that receives delayed notification of the presence of prey from the observer, and therefore anticipates their possible moves by one position. The objective of the observer and predator is of course to catch prey. The transitions $l_1, l_2, l_3$ are scheduled by a guardian that pursues the opposite objective. Whenever a prey is caught, this has a direct effect on the set of the possible schedules in $\{l_1, l_2, l_3\}^*$, hence there exist interferences between $d_1, d_2, d_3$ and $l_1, l_2, l_3$. If the set of possible schedules in $\{l_1, l_2, l_3\}^*$ was directly affected by the transitions $h_1, h_2, h_3$, the guardian could glean information on the position of the observer and therefore drive the prey to safe locations. This is actually not the case, because the high-level transitions do not affect the contents of the places connected to the low-level transitions. The fact that each $d_i$ transition reveals that the last transition of the observer was the corresponding $h_i$ is no problem since the prey has already been caught. This is the essence of downgrading transitions and intransitive non-interference in PT-nets, whose definitions follow.

Definition 4.1 (Three-level net system). A three-level PT-net system is a PT-net system 𝒩 = (P, T, F, M_0)
whose set T of transitions is partitioned into low-level transitions l ∈ L, downgrading transitions d ∈ D,
and high-level transitions h ∈ H, such that T = L ∪ D ∪ H and the sets L, D and H do not intersect.

The low-level transitions are supposed to be observed by the low user, while the high-level transi-
tions cannot be observed and should hopefully be kept secret, i.e. they should not be revealed to the
low user by the observation of the firing sequences in which they occur. The downgrading transitions
may be observed by the low user, but when such a transition occurs, the requirement that all high-level
transitions that possibly occurred before should be kept secret is cancelled. This is a strong form of
declassification, but we do not know at present about the decidability of INI or BINI for more flexible
forms of declassification, where each transition d ∈ D would declassify a corresponding subset H_d of H
(Lemma 4.3, which is crucial to our proofs, does not apply in such a case).

Definition 4.2 (INI-BINI). A three-level net system (N, M_0) has the property INI (Intransitive Non-
interference), resp. BINI (Bisimulation-Based Intransitive Non-interference) iff the two-level net system
(N\D, M) has the property NDC, resp. BNDC, for M = M_0 and for any marking M such that M_0[vd>M
in N for some sequence v ∈ T* and for some downgrading transition d ∈ D.

The intuition under Definition 4.2 is as follows. The secret to be covered is that some high-level
transition h has occurred after the last downgrading transition d, if any such transition was ever fired in
𝒩. Whenever some downgrading transition d is fired, the current secret is deemed obsolete (the high-
level transitions that may have occurred before may be revealed by the downgrading transition itself or
by subsequent low-level transitions), and a new secret (namely, that some high-level transition may have
occurred after the new downgrading transition) is decreed. Thus, INI (resp. BINI) is just a clocked
version of NDC (resp. BNDC), where the ticks of the clock are the downgrading transitions. INI/BINI
are weakenings of NDC/BNDC but they are still very strong security properties. We feel that such strong
properties are really needed in the general context of games, including discrete event systems control as a
particular case, where any piece of information leaked about the strategy of a player to reach its objective
can be used by the adversary to the opposite goal.




Figure 8: Another three-level net system 

In order to better illustrate non-interference in unbounded PT-nets, we would like to present a second
example in which the high-level transitions do modify the (contents of the) input places of the low-level
transitions. Consider the net system shown in Figure 8. The low-level transition l_1 is always enabled and
it represents the arrival of goods in a shop. The low-level transition l_2 represents a sale operation and
it can only be performed when the shop is open, which is indicated by the presence of one token in the
leftmost place. The downgrading transitions d_1 (closing the shop) and d_2 (opening the shop) are operated
by a guard whose friend takes one article from the shop after closing time (high-level transition h_1) and
brings it back before opening (high-level transition h_2). It is easily seen that the two high-level transitions
form a T-invariant and that l_2 cannot be fired between h_1 and h_2 because the shop is closed during this
period. However, in principle, the guard's friend might grab the key of the shop (h_1) immediately after
each release (by h_2), and this would impact the low view of the system since the transition l_2 could then
stay blocked forever (blocking may be perceived in weak-bisimulation based semantics). Our definition
of BINI does not take this pathological behaviour into account. Intuitively, Definition 4.2 means that high-
level transitions are transparent to the low-level user (that is to say, to the controlled system) unless they
cause a starvation of the downgrading transitions (that is to say, of the controller). Therefore, the net
system of Figure 8 is secure w.r.t. BINI.

In the rest of the section, we show that both properties INI and BINI can be decided for unbounded
PT-nets. 𝒩 = (N, M_0) always denotes a three-level net system where N = (P, T, F) and T is partitioned
into low-level transitions l ∈ L, high-level transitions h ∈ H, and downgrading transitions d ∈ D.

Lemma 4.3. (N, M_0) has the property INI iff (N\D, M) ~ (N\(H ∪ D), M) for M = M_0 and for any
marking M such that M_0[vd>M (in N) with v ∈ T* and d ∈ D.

Proof. This is a direct application of Proposition 3.4. □
Proposition 4.4. One can decide whether (N, M_0) has the property INI.

Proof. First, it can be checked whether (N\D, M_0) ~ (N\(H ∪ D), M_0), because all transitions of the net
system (N\(H ∪ D), M_0) are observable. As a matter of fact, ℒ((N\(H ∪ D), M_0)) is always included
in ℒ((N\D, M_0)), and by E. Pelz's theorem and corollary (Theorem 6.4 in the appendix), the reverse
inclusion can be decided since ℒ((N\(H ∪ D), M_0)) is a free PT-net language.

Now fix some downgrading transition d ∈ D. Let 𝒩_d be the net system (with underlying net N_d)
constructed as follows.

• N_d has all places of N plus two places p_d and p'_d (the complement of p_d). The initial marking M_{0d}
of 𝒩_d extends M_0 by setting one token in p_d and leaving p'_d empty.

• N_d has all transitions t of N with flow relations extended by F(p_d, t) = 1 and F(t, p_d) = 1.

• N_d has a new transition d' with the same flow relations as d except that F(d', p_d) = 0 and F(d', p'_d) =
1 (whereas F(d, p_d) = 1 and F(d, p'_d) = 0).

• N_d has a fresh copy t' of each transition t ∈ L ∪ H, with the same flow relations as t except that
F(p'_d, t') = 1 and F(t', p'_d) = 1 (whereas F(p_d, t) = 1 and F(t, p_d) = 1).

• all transitions of N_d, including H and D, are low-level transitions except for H' = {t' | t ∈ H}.

We claim that (N\D, M) ~ (N\(H ∪ D), M) for any M such that M_0[vd>M in N for the fixed d ∈ D and
for some v ∈ T* iff 𝒩_d ~ 𝒩_d \ H' (the proof of this claim, easy but a bit lengthy, is given in the annex,
see Claim 6.9). As all transitions of 𝒩_d \ H' are observable, the language of this net system is a free
PT-net language. It follows by E. Pelz's theorem and corollary (Theorem 6.4 in the appendix) that one
can decide the inclusion relation ℒ(𝒩_d) ⊆ ℒ(𝒩_d \ H'). Since there are finitely many downgrading
transitions d ∈ D, by the above claim, one can decide whether a PT-net system has the property INI. □
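The construction above can be carried out mechanically. The following is an added example, not code from the paper: it builds N_d from an explicit net following the five bullets, then exhausts the reachable markings of a small bounded net (constructed here, not one of the paper's figures) to confirm the two facts the claim relies on: p_d and p'_d stay complementary, and before d' only original transitions fire while after it only primed copies do, so that the markings of N_d on the p'_d side, projected onto the places of N, are exactly the markings reachable in N from some M with M_0[vd>M by transitions of L ∪ H. Place names p_d, p'_d, the priming convention t' and the helper functions are this example's own choices.

```python
"""Added example: the net system N_d of Proposition 4.4 and a bounded check of its two phases."""


def enabled(m, pre):
    return all(m.get(p, 0) >= w for p, w in pre.items())


def fire(m, pre, post):  # M'(p) = M(p) + F(t,p) - F(p,t)
    m2 = dict(m)
    for p, w in pre.items():
        m2[p] = m2.get(p, 0) - w
    for p, w in post.items():
        m2[p] = m2.get(p, 0) + w
    return m2


def build_nd(places, trans, level, m0, d):
    """Follow the five bullets of the proof. trans: name -> (pre, post) dicts of arc weights;
    level: name -> 'L', 'D' or 'H'. Returns (places_d, trans_d, level_d, m0_d)."""
    pd, pdc = "p_" + d, "p'_" + d                       # p_d and its complement p'_d
    places_d = list(places) + [pd, pdc]
    m0_d = {**m0, pd: 1, pdc: 0}                        # M_0d: one token in p_d, none in p'_d
    trans_d, level_d = {}, {}
    for t, (pre, post) in trans.items():                # every t of N tests and returns the p_d token
        trans_d[t] = ({**pre, pd: 1}, {**post, pd: 1})
        level_d[t] = 'L'                                # H and D become low in N_d
    pre, post = trans[d]                                # d' moves the token from p_d to p'_d
    trans_d[d + "'"] = ({**pre, pd: 1}, {**post, pdc: 1})
    level_d[d + "'"] = 'L'
    for t, (pre, post) in trans.items():                # primed copies of L u H run on p'_d
        if level[t] in ('L', 'H'):
            trans_d[t + "'"] = ({**pre, pdc: 1}, {**post, pdc: 1})
            level_d[t + "'"] = 'H' if level[t] == 'H' else 'L'   # only H' stays high
    return places_d, trans_d, level_d, m0_d


def explore(trans, m0, limit=2000):
    """Reachable markings of a bounded net; raises when `limit` is exceeded."""
    key = lambda m: frozenset((p, n) for p, n in m.items() if n)
    seen, todo = {key(m0)}, [m0]
    while todo:
        m = todo.pop()
        for pre, post in trans.values():
            if enabled(m, pre):
                m2 = fire(m, pre, post)
                if key(m2) not in seen:
                    seen.add(key(m2))
                    todo.append(m2)
                    if len(seen) > limit:
                        raise RuntimeError("too many markings: the net may be unbounded")
    return [dict(k) for k in seen]


def check_nd(places, trans, level, m0, d):
    """Verify on the reachable markings of N_d the invariants used by Claim 6.9."""
    places_d, trans_d, level_d, m0_d = build_nd(places, trans, level, m0, d)
    pd, pdc = "p_" + d, "p'_" + d
    complementary = phases = True
    after_dprime = set()                                # N-projections of markings on the p'_d side
    for m in explore(trans_d, m0_d):
        complementary &= m.get(pd, 0) + m.get(pdc, 0) == 1
        on_pdc = m.get(pdc, 0) == 1
        for t, (pre, _) in trans_d.items():
            if enabled(m, pre):
                primed = t.endswith("'") and t != d + "'"
                phases &= primed == on_pdc              # primed copies only after d', originals only before
        if on_pdc:
            after_dprime.add(tuple(m.get(p, 0) for p in places))
    # in N: every M with M_0[vd>M, then everything reachable from M by L u H transitions
    lh = {t: trans[t] for t in trans if level[t] in ('L', 'H')}
    after_d = set()
    for m in explore(trans, m0):
        if enabled(m, trans[d][0]):
            for m2 in explore(lh, fire(m, *trans[d])):
                after_d.add(tuple(m2.get(p, 0) for p in places))
    return complementary, phases, after_dprime, after_d


# Constructed sample net: h is declassified by d, after which l may loop (not a net from the paper)
PLACES = ["a", "b", "c"]
TRANS = {"h": ({"a": 1}, {"b": 1}), "d": ({"b": 1}, {"c": 1}), "l": ({"c": 1}, {"c": 1})}
LEVEL = {"h": "H", "d": "D", "l": "L"}
M0 = {"a": 1}

if __name__ == "__main__":
    ok_c, ok_p, side, ref = check_nd(PLACES, TRANS, LEVEL, M0, "d")
    print("complement invariant:", ok_c, " phase separation:", ok_p, " p'_d side matches N after d:", side == ref)
```

The exhaustive exploration only makes sense for bounded nets; the paper's argument for the unbounded case goes through Pelz's theorem and reachability (Theorem 6.4, Proposition 6.7), which this example does not implement.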

Lemma 4.5. (N, M_0) has the property BINI iff for any reachable marking M_1 of 𝒩 and for any high-
level transition h ∈ H, M_1[h>M_2 entails ℒ(N\(H ∪ D), M_1) = ℒ(N\(H ∪ D), M_2).

Proof. By Proposition 3.13 and Theorem 3.14, (N, M_0) has the property BINI iff the following entailment
relation is satisfied for M = M_0 and for any marking M such that M_0[vd>M (in N) for some v ∈ T* and
d ∈ D:

if M[w>M_1 in N\D for some w ∈ (H ∪ L)*
and M_1[h>M_2 in N\D for some h ∈ H,
then ℒ(N\(H ∪ D), M_1) = ℒ(N\(H ∪ D), M_2).

Grouping the case M = M_0 with the other cases, one obtains the lemma. □

Definition 4.6. Given a three-level net system 𝒩 and two transitions h ∈ H and l ∈ L, we say that Q(h,l)
holds iff for any words x ∈ T* and s ∈ L*, if M_0[x>M_1, M_1[h>M_2, M_1[s>M_3, and M_2[s>M_4, then M_3[l> iff
M_4[l>.

Proposition 4.7. One can decide whether (N, M_0) has the property BINI.

Proof. By Lemma 4.3, 𝒩 has the property BINI iff Q(h,l) holds for every high-level action h and for
every low-level action l. As Q(h,l) is the same as P(h,l), up to replacing H with H ∪ D, Q(h,l) is
decidable. Therefore, the BINI property can be decided for PT-net systems. □

As nets are labeled injectively on transitions, ℒ(N\(H ∪ D), M_1) = ℒ(N\(H ∪ D), M_2) iff M_1 ≈ M_2
w.r.t. Σ_o = L. Therefore, BINI coincides exactly with the property BNID specified by Definition 5.7
in [4].
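To make Definition 4.2, Lemma 4.3 and Definition 4.6 concrete, here is an added example that is not code from the paper. It runs both characterizations on small bounded nets: INI is tested, at M_0 and at every marking entered by a downgrading transition, by comparing the low language of N\D with high transitions hidden against that of N\(H ∪ D) (only the reverse inclusion needs searching, since the second language is always included in the first), and BINI is tested by checking Q(h,l) for every pair. The exhaustive marking search is an assumption that only works for bounded nets; the paper's decidability results for the unbounded case rest on Pelz's theorem and reachability, which this code does not implement. The three nets are constructed for illustration and are not those of the paper's figures.

```python
"""Added example: INI (Lemma 4.3) and BINI (Definition 4.6) checks on small bounded three-level nets."""
from collections import deque


class Net:
    """Three-level PT-net system (Definitions 4.1 and 6.1). trans: name -> (pre, post), each a dict
    place -> arc weight; level: name -> 'L', 'D' or 'H'. Markings are tuples ordered like `places`."""
    def __init__(self, places, trans, level, m0):
        self.places, self.trans, self.level = list(places), trans, level
        self.idx = {p: i for i, p in enumerate(self.places)}
        self.m0 = tuple(m0.get(p, 0) for p in self.places)

    def enabled(self, m, t):
        return all(m[self.idx[p]] >= w for p, w in self.trans[t][0].items())

    def fire(self, m, t):  # M'(p) = M(p) + F(t,p) - F(p,t)
        pre, post = self.trans[t]
        return tuple(m[i] + post.get(p, 0) - pre.get(p, 0) for p, i in self.idx.items())

    def of_level(self, levels):
        return [t for t in self.trans if self.level[t] in levels]

    def reachable(self, start, allowed, limit=5000):
        """Markings reachable from `start` through `allowed` transitions (bounded nets only)."""
        seen, todo = {start}, deque([start])
        while todo:
            m = todo.popleft()
            for t in allowed:
                if self.enabled(m, t):
                    m2 = self.fire(m, t)
                    if m2 not in seen:
                        seen.add(m2); todo.append(m2)
                        if len(seen) > limit: raise RuntimeError("too many markings: the net may be unbounded")
        return seen


def h_closure(net, ms):
    """Saturate a set of markings under silent high-level moves."""
    return frozenset(x for m in ms for x in net.reachable(m, net.of_level('H')))


def low_language_equal(net, m):
    """Lemma 4.3 at marking m. States are pairs (set S of N\\D markings after a low word with H hidden,
    marking q of N\\(H u D) after the same word); a low step possible from S but not from q means that
    some high-level transition made a low behaviour possible."""
    low = net.of_level('L')
    start = (h_closure(net, {m}), m)
    seen, todo = {start}, deque([start])
    while todo:
        s_set, q = todo.popleft()
        for l in low:
            s_next = {net.fire(s, l) for s in s_set if net.enabled(s, l)}
            if not s_next: continue          # the low word cannot be extended by l, even with H
            if not net.enabled(q, l): return False
            nxt = (h_closure(net, s_next), net.fire(q, l))
            if nxt not in seen:
                seen.add(nxt); todo.append(nxt)
    return True


def has_ini(net):
    """Definition 4.2 through Lemma 4.3: test at M_0 and after every downgrading transition."""
    starts = {net.m0}
    for m in net.reachable(net.m0, list(net.trans)):
        for d in net.of_level('D'):
            if net.enabled(m, d): starts.add(net.fire(m, d))
    return all(low_language_equal(net, m) for m in starts)


def q_holds(net, h, l):
    """Definition 4.6: from every M_1[h>M_2 follow the common low continuations s in L* and require
    the markings M_3, M_4 reached on both sides to agree on enabling l."""
    low = net.of_level('L')
    pairs = {(m1, net.fire(m1, h)) for m1 in net.reachable(net.m0, list(net.trans)) if net.enabled(m1, h)}
    seen, todo = set(pairs), deque(pairs)
    while todo:
        m3, m4 = todo.popleft()
        if net.enabled(m3, l) != net.enabled(m4, l): return False
        for s in low:
            if net.enabled(m3, s) and net.enabled(m4, s):
                nxt = (net.fire(m3, s), net.fire(m4, s))
                if nxt not in seen:
                    seen.add(nxt); todo.append(nxt)
    return True


def has_bini(net):  # Proposition 4.7: Q(h,l) for every h in H and l in L
    return all(q_holds(net, h, l) for h in net.of_level('H') for l in net.of_level('L'))


# Constructed toy nets, not the paper's figures.
EXAMPLES = {
    # h is revealed only through the downgrading transition d: INI and BINI hold
    "downgraded": Net(["idle", "hdone", "ready"],
                      {"h": ({"idle": 1}, {"hdone": 1}), "d": ({"hdone": 1}, {"ready": 1}),
                       "l": ({"ready": 1}, {"ready": 1})}, {"h": "H", "d": "D", "l": "L"}, {"idle": 1}),
    # h directly enables the low transition l: both properties fail
    "causal": Net(["idle", "ready"], {"h": ({"idle": 1}, {"ready": 1}), "l": ({"ready": 1}, {"ready": 1})},
                  {"h": "H", "l": "L"}, {"idle": 1}),
    # h and l2 compete for the token in k: the low language is unchanged (INI holds), but after l1
    # the branch where h fired can no longer do l2 (BINI fails)
    "competing": Net(["go", "k", "c", "b"],
                     {"h": ({"k": 1}, {}), "l1": ({"go": 1}, {"c": 1}), "l2": ({"c": 1, "k": 1}, {"b": 1})},
                     {"h": "H", "l1": "L", "l2": "L"}, {"go": 1, "k": 1}),
}

if __name__ == "__main__":
    for name, net in EXAMPLES.items():
        print(f"{name:11s} INI={has_ini(net)}  BINI={has_bini(net)}")
```

The third net is the situation the conclusion of the paper singles out: a high and a low transition competing for the same token. It keeps the low language intact, so it passes the language-based INI test, while the bisimulation-based BINI test detects that after l_1 the two branches no longer agree on l_2.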

5 Conclusion and future work 

The examples we have discussed seem to suggest that there is a clear, structural reason why an inter-
ference is present in a net system: either a high-level transition is causing a low-level transition (e.g.,
Example 3.5) or a high-level transition and a low-level one are competing for the same token in a place
(e.g., Example 3.8). As a matter of fact, in [2] one of the authors showed that precisely this is the case
when restricting net systems to elementary net systems (which are essentially PT-nets where each place
can contain at most one token). More precisely, a (contact-free) elementary net system 𝒩 is BNDC if
and only if it is never the case that a low transition consumes a token that must have been produced by a
high transition nor that a high transition and a low transition compete for the very same token in a place.




Figure 9: A non BNDC net 

Unfortunately, generalizing this characterization in the setting of general PT-nets seems problematic.
Consider the net system 𝒩 shown in Figure 9. Let M_0 be the initial marking indicated in the figure. Set
M_0[h>M_1 and set also M_0[l_1 l_2>M_2 and M_1[l_1 l_2>M_3. Clearly, transition l_3 is enabled at M_2 but disabled at
M_3, hence 𝒩 is not BNDC. However, in a firing sequence from M_0 in which h, l_1, l_2 and l_3 all occur, the token consumed from place
s by the low-level transition l_3 may have been produced by the high-level transition h but it may also have
been produced alternatively by the low-level transition l_1.

As regards continuations of this work, it would be useful to look at flexible versions of downgrading,
where each downgrading action bears upon a specific subset of high-level actions. A wider perspective
would be to investigate non-interference in the framework of games of partial information, see e.g. [15]
for a survey on Games for Security.
6 Annex

Definition 6.1 (PT-nets). A PT-net is a bipartite graph N = (P, T, F), where P and T are finite disjoint
sets of vertices, called places and transitions, respectively, and F : (P × T) ∪ (T × P) → ℕ is a set of
directed edges with non-negative integer weights. A marking of N is a map M : P → ℕ. A transition
t ∈ T is enabled at a marking M (notation: M[t>) if M(p) ≥ F(p,t) for all places p ∈ P. If t is enabled at
M, then it can be fired, leading to the new marking M' (notation: M[t>M') defined by M'(p) = M(p) +
F(t,p) − F(p,t) for all p ∈ P. These definitions are extended inductively to transition sequences s ∈ T*:
for the empty sequence ε, M[s> and M[s>M are always true; for a non-empty sequence st with t ∈ T,
M[st> (or M[st>M') iff M[s>M'' and M''[t> (or M''[t>M', respectively) for some M''. A marking M' is
reachable from a marking M if M[s>M' for some s ∈ T*. The set of markings reachable from M is
denoted by [M>.

Theorem 6.2 (Mayr [12]). Given a PT-net N and two markings M and M', one can decide whether M'
is reachable from M.

Definition 6.3 (Free language of a net system). The free language of a Petri net system 𝒩 is the language
of the LTS RG(𝒩), where all transitions are considered observable, i.e., Σ_o = T. In this case, we write
ℒ(𝒩) to denote the free language.

Theorem 6.4 (Pelz [14]). The complement in Σ* of the free language of a net system may be generated
by a labeled net (𝒩, λ) with a finite set of final partial markings, characterized by a formula φ built
from the logical connectives ∧ and ∨ and atomic formulas M(p) = i (with p ∈ P and i ∈ ℕ). In other
words, a sequence s ∈ Σ* belongs to this complement if and only if s = λ(t_1 t_2 ... t_n) for some sequence of
transitions M_0[t_1 t_2 ... t_n>M of 𝒩 such that M satisfies φ.

Corollary 6.5 (Pelz). The problem whether the language of a labeled net system 𝒩_1 is included in the
free language of a net system 𝒩_2 is decidable.

Proof. The language of 𝒩_1 is included in the free language of 𝒩_2 if and only if no marking satisfying
φ can be reached in 𝒩_1 × 𝒩̄_2, where 𝒩̄_2 is the complementary net of 𝒩_2 and φ is the logical formula
defining the final partial markings of 𝒩̄_2. The latter reachability property can be decided in view of
Proposition 6.7 recalled below in this appendix. □

In order to make the statement of Proposition 6.7 understandable, let us recall first the basics of semi-
linear sets and their decidable properties. Given a number n ∈ ℕ, we consider the commutative monoid
(ℕ^n, +) where + denotes the componentwise addition of n-vectors and the null n-vector is the neutral
element. Typically, n is the number of places of a Petri net and then ℕ^n is the realm of all possible
markings of this net (markings are seen as vectors in which each entry defines the number of tokens in
the corresponding place for some fixed enumeration of the places of the net).

A subset E ⊆ ℕ^n is called linear if it is of the form

\[
E = \{\, a + k_1 b_1 + \dots + k_m b_m \mid k_1, \dots, k_m \in \mathbb{N} \,\}
\]

for some specific vectors a ∈ ℕ^n and b_1, ..., b_m ∈ ℕ^n. For example, let an unmarked net with n places
and a transition t be given. Then the set of markings enabling t is linear, since any such marking M can
be expressed as the following sum:

\[
M = M_t + k_1 b_1 + \dots + k_n b_n
\]

where M_t is the (unique!) minimal marking enabling t and b_1, ..., b_n are the unit vectors correspond-
ing to the places of the net. The natural numbers k_1, ..., k_n simply describe excess tokens which may be
present in M but are not needed for enabling t.

A subset E ⊆ ℕ^n is called semi-linear if it is a finite union of linear sets. For example, if t_1 and t_2
are two transitions, then the set of markings enabling t_1 or t_2 (or both) is semi-linear, since it is the union
of the set of markings enabling t_1 and the set of markings enabling t_2.

Theorem 6.6 (Ginsburg and Spanier [1]). The semi-linear subsets of ℕ^n form an effective boolean
algebra.

Thus, if E, E_1 and E_2 are semi-linear subsets of ℕ^n, then so are ℕ^n \ E, E_1 ∩ E_2 and E_1 ∪ E_2. The
effectiveness part of Ginsburg and Spanier's theorem concerns the possible description of semi-linear
sets as linear expressions, and it states that the expressions of a composed set (such as E_1 ∩ E_2) can be
computed effectively from the linear expressions of the constituent set(s) (such as E_1 and E_2).

Proposition 6.7. Given a PT-net system 𝒩 = (P, T, F, M_0) and a semi-linear subset of markings E ⊆ ℕ^n,
where n = |P|, one can decide whether (some marking in) E can be reached from M_0.

The above proposition follows from Lemma 4.3 in [10], where the semi-linear reachability problem
is reduced to the reachability problem, and from Theorem 6.2.

In this paper, we use Proposition 6.7 and Theorem 6.6 in the special form as follows.

Corollary 6.8. Let 𝒩 be a PT-net system with initial marking M_0 and let t_1 and t_2 be two transitions.
The question whether there is some marking M ∈ [M_0> with

\[
(M[t_1\rangle \wedge \neg M[t_2\rangle) \vee (\neg M[t_1\rangle \wedge M[t_2\rangle) \qquad (2)
\]

is decidable.

Proof. The set of all markings M satisfying (2) is semi-linear. This follows from Theorem 6.6 together
with the fact that the set of markings enabling a single transition is linear. The claim now follows directly
from Proposition 6.7. □
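The two ingredients of this proof can be written down explicitly for enabling sets. The following added example (not from the paper) represents the set of markings enabling a transition as the linear set of the annex (base M_t, unit-vector generators), builds the complement of such a set as a finite union of linear sets (a marking fails to enable t iff some place p holds fewer than M_t(p) tokens), assembles formula (2) as a semi-linear set by distributing the intersection over that union, and cross-checks the result against the firing rule on a grid of markings. It does not implement the reachability decision of Proposition 6.7. The pre-vectors T1 and T2 are constructed sample values, and the coefficient search in the membership test is only valid because every generator used here is a unit vector.

```python
"""Added example: enabling sets as linear sets, their complements, and formula (2) as a semi-linear set."""
from itertools import product


def unit(n, i):
    return tuple(1 if j == i else 0 for j in range(n))


def enabling_set(pre_t):
    """Markings enabling t: base M_t (the pre-vector of t) plus any combination of unit vectors."""
    n = len(pre_t)
    return (tuple(pre_t), [unit(n, j) for j in range(n)])


def not_enabling_set(pre_t):
    """N^n minus the enabling set of t, as a union of linear sets: M(p) = v for some place p and
    some v < M_t(p), the other coordinates being free."""
    n = len(pre_t)
    return [(tuple(v if j == p else 0 for j in range(n)), [unit(n, j) for j in range(n) if j != p])
            for p in range(n) for v in range(pre_t[p])]


def enabling_with_fixed(pre_t, p, v):
    """{M >= M_t} intersected with {M(p) = v}: empty when v < M_t(p), otherwise again linear."""
    n = len(pre_t)
    if v < pre_t[p]:
        return None
    return (tuple(v if j == p else pre_t[j] for j in range(n)), [unit(n, j) for j in range(n) if j != p])


def xor_enabling_set(pre_t1, pre_t2):
    """Semi-linear description of (M[t1> and not M[t2>) or (not M[t1> and M[t2>), formula (2):
    the intersection with an enabling set is distributed over the union given by not_enabling_set."""
    lins = []
    for a, b in ((pre_t1, pre_t2), (pre_t2, pre_t1)):
        for p in range(len(b)):
            for v in range(b[p]):
                lin = enabling_with_fixed(a, p, v)
                if lin is not None:
                    lins.append(lin)
    return lins


def in_linear(m, lin):
    """Membership by bounded search on the coefficients (generators are unit vectors here, so no
    coefficient can exceed the largest coordinate of m - base)."""
    base, gens = lin
    diff = tuple(x - y for x, y in zip(m, base))
    if any(x < 0 for x in diff):
        return False
    for ks in product(range(max(diff) + 1), repeat=len(gens)):
        if all(sum(k * g[j] for k, g in zip(ks, gens)) == diff[j] for j in range(len(m))):
            return True
    return False


def in_semilinear(m, lins):
    return any(in_linear(m, lin) for lin in lins)


def enabled(m, pre_t):  # the firing rule of Definition 6.1: M(p) >= F(p,t) for every place
    return all(x >= y for x, y in zip(m, pre_t))


def cross_check(pre_t1, pre_t2, up_to=3):
    """Compare the semi-linear description of (2) with the firing rule on every marking holding
    at most `up_to` tokens per place; True when the two agree everywhere."""
    lins = xor_enabling_set(pre_t1, pre_t2)
    return all(in_semilinear(m, lins) == (enabled(m, pre_t1) != enabled(m, pre_t2))
               for m in product(range(up_to + 1), repeat=len(pre_t1)))


def complement_check(pre_t, up_to=3):
    """Same comparison for the complement of a single enabling set."""
    lins = not_enabling_set(pre_t)
    return all(in_semilinear(m, lins) == (not enabled(m, pre_t))
               for m in product(range(up_to + 1), repeat=len(pre_t)))


# Constructed pre-vectors over three places: t1 needs one token in place 0 and two in place 2,
# t2 needs one token in place 1.
T1, T2 = (1, 0, 2), (0, 1, 0)

if __name__ == "__main__":
    print("linear pieces of (2):", len(xor_enabling_set(T1, T2)))
    print("(2) agrees with the firing rule:", cross_check(T1, T2))
```

Once the markings satisfying (2) are available as a finite list of (base, generators) pairs, Proposition 6.7 is what turns the question "is some such marking reachable from M_0" into a reachability problem; this example stops at the semi-linear description.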

We finally give a detailed proof of the claim made in the proof of Proposition 4.4.

Claim 6.9. With the notations used in the proof of Proposition 4.4, (N\D, M) ~ (N\(H ∪ D), M) for any
M such that M_0[vd>M in N for some v ∈ T* iff 𝒩_d ~ 𝒩_d \ H'.

Proof. We need to examine closely the relationship between the firing sequences of N and N_d. Let
M_0[vd>M be a firing sequence of N and let M[t_1 ... t_n> be a firing sequence of N\D. Then M_{0d}[vd>M_d
in 𝒩_d where M_d(p_d) = 1, M_d(p'_d) = 0, and M_d(p) = M(p) for every place p of N. Clearly, M_d[t_1 ... t_n>
is a firing sequence of N_d\D. In a similar way, M_{0d}[vd'>M'_d in 𝒩_d where M'_d(p_d) = 0, M'_d(p'_d) = 1, and
M'_d(p) = M(p) for every place p of N. Also clearly, M'_d[t'_1 ... t'_n> is a firing sequence of N_d\D. Conversely,
consider now a firing sequence M_{0d}[u> in 𝒩_d. If d' does not occur in u, then M_0[u> in N. If u = vd'w,
then necessarily, M_0[vd>M for some M in N, and w = t'_1 ... t'_n for some sequence t_1 ... t_n ∈ (L ∪ H)* such
that M[t_1 ... t_n> in N and hence also in N\D.

Suppose that (N\D, M) ~ (N\(H ∪ D), M) for any M such that M_0[vd>M in N for the fixed d ∈ D
and for some v ∈ T*. By construction, any sequence of transitions of 𝒩_d not including d' is also a
sequence of transitions of 𝒩_d\H'. Now any sequence of transitions of 𝒩_d including d' is of the form
M_{0d}[vd't'_1 ... t'_n>, where no transition from H' occurs in v and t'_1 ... t'_n is the primed version of some
sequence t_1 ... t_n ∈ (L ∪ H)*. Then, M_0[vd>M and M[t_1 ... t_n> for some M in N. For all t_j let λ(t_j) = ε
if t_j ∈ H and λ(t_j) = t_j otherwise. As (N\D, M) ~ (N\(H ∪ D), M), one has also M[λ(t_1) ... λ(t_n)>.
Therefore, if we let λ'(t'_j) = ε if t'_j ∈ H' and λ'(t'_j) = t'_j otherwise, then M'_d[λ'(t'_1) ... λ'(t'_n)> in N_d\D
where M'_d is the marking of N_d defined with M'_d(p_d) = 0, M'_d(p'_d) = 1, and M'_d(p) = M(p) for every
place p of N. As no transition from H' occurs in vd'λ'(t'_1) ... λ'(t'_n), this sequence is a firing sequence
of 𝒩_d\H'. Thus, 𝒩_d ~ 𝒩_d\H'.

In order to establish the converse implication, suppose now that 𝒩_d ~ 𝒩_d \ H'. Consider any
two firing sequences M_0[vd>M and M[t_1 ... t_n> of N with t_1 ... t_n ∈ (L ∪ H)*. By construction of 𝒩_d,
M_{0d}[vd't'_1 ... t'_n>. As no transition from H' occurs in v, by the above assumption, M_{0d}[vd'λ'(t'_1) ... λ'(t'_n)>
in 𝒩_d\H' where λ'(t'_j) = ε if t'_j ∈ H' and λ'(t'_j) = t'_j otherwise. Thus, if we set λ(t_j) = ε if t_j ∈ H
and λ(t_j) = t_j otherwise, then M_{0d}[vdλ(t_1) ... λ(t_n)> by construction of 𝒩_d. As a consequence,
M[λ(t_1) ... λ(t_n)> in N and hence also in N\(H ∪ D), concluding the proof of the claim. □



